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Abstract 

This paper presents a simple, but efficient class of non-interactive protocols for quantum authen- 
tication of m-length classical messages. The message is encoded using a classical linear algebraic 
code C[n,m,t]. We assume that Alice and Bob share a classical secret key xab^ of n bits. Alice 
creates n qubits based on the codeword and the key, that indicates the bases used to create each 
qubit. The quantum states are sent to Bob through a noiseless quantum channel. We calculate 
the failure probability of the protocol considering several types of attacks. 
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I. INTRODUCTION 



Authentication is a procedure to verify that a received message comes from a certain 
entity, and have not been altered. Classical cryptography describes several techniques to 
implement authentication. The Message Authentication Code (MAC) presumes the exis- 
tence of a secret key shared among the two parts, A (Alice) and B (Bob). The coding 
algorithm generates a tag, known as a cryptographic checksum, which is a function of the 
message and the key. The tag is attached to the message. The recipient performs the 
same calculation on the received message, using the same secret key, to generate a new tag 
to be compared to the received tag. Identical tags indicate that the received message is 
authentic 

The discovery and formalization of quantum mechanics duringthe last century motivated 
studies in the fields of computation and information theories Uy,!^. Effects like entangle- 
ment and the discovery of EPR pairs made possible quantum states teleportation . Some 
problems computationally intractable in the classical world, as factorization, are solved using 
polynomial algorithms running on a quantum computer. The development of such technol- 
ogy would make unfeasible, for example, public key cryptographic systems, whose security 
is based on the inefficiency of classical factorization algorithms [l| . One of the most interest- 
ing applications of quantum information theory is quantum cryptography. In 1970, Wiesner 
showed that quantum mechanics properties could be used for such end, but his work was 
only published in 1983 0. Later, Bennett and Brassard described a quantum key distri- 
bution^rotocol known as BB84 |7[. There exist several proofs of unconditional security of 
10 1 , even against any collectives attacks jll|. 



BB84 



Until the last decade, the expression "quantum cryptography" referred basically to pro- 
tocols for quantum key distribution (QKD). Recently, several researches have been made 
in the sense of applying quantum mechanics resources in the resolution of others problems 



related to the data security. The first works deals to the key verification 



thentication 



121 and user au- 



14L 3] • Key verification consists of assuring the legitimacy of the two parts 



involved in a key distribution scheme, and that the established key is authentic. User au- 
thentication, also called user identification, allows a system to determine the users identity 
that wants to use it. 

Curty and Santos proposed a protocol to quantum authentication of unitary-length 
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classical messages (bit). As for the secret key, they use a maximally entangled EPR pair 
previously shared between Alice and Bob. For each message, an EPR pair is used. Alice 
needs to generate, through a unitary operation, a quantum state, called quantum tag, which 
depends on the qubit that represents the classical bit and her part of the EPR pair. For 
the types of attacks discussed, the probability that Eve deceives Bob was 0.5 < -P^ < 1, 
depending on the choice of the unitary operation. Later, the same authors proposed a 
protocol to quantum authentication of unitary-length quantum messages (qubit) 17[. The 
second protocol is a generalization of the first, where the quantum tag now belongs to a 
state space of dimension equal to or greater than the dimension of the message state space. 

Recently, Barnum et al. jl^ described a protocol to authenticate quantum messages 
of length m. They propose a scheme that both enables Alice to encrypt and authenticate 
(with unconditional security) an m qubit message by using a stabilizer code to encode 
the message into m + s qubits, where the failure probability decreases exponentially in 
the security parameter s. Such scheme requires a private key of size 2m + 0{s) to be 
shared between Alice and Bob. To archive this, the authors proposed a protocol for testing 
the purity of shared EPR pairs. This protocol needs quantum circuits for the coding and 
decoding operations. 

In this paper we address the problem of authenticating classical messages of length m 
transmitted over a noiseless quantum channel. We propose a non-interactive scheme that 
just requires preparation of quantum states into orthornormal bases, transmission and mea- 
surements of these states in the same bases. To reach a wished security level, the message 
should be coded using a classical linear algebraic code C[n,m,t] |19j. After the coding op- 
eration, Alice creates n qubits based on the chosen codeword and on a secret key of n bits, 
xab, previously shared with Bob. The key indicates the bases used by Alice and Bob for the 
creation and measurement of the qubits. Bob assumes that no forgery has taken place and 
that the message is authentic if the result of the measurement is a codeword c G C[n,m,t]. 
We consider two types of attacks, the no-message and intercept-resend attacks. We calculate 
the probability of a eavesdropping successfully forger a message to deceive Bob. As we will 
show, this probability depends on the parameters n and t of the code C[n, m, t]. 



3 



II. A PROTOCOL TO QUANTUM AUTHENTICATION OF m-LENGTH CLAS- 
SICAL MESSAGES 



Suppose Alice wants to send Bob a m-bits certified message, ki, chosen from a set 
K = {ki} = {0,1}"^. Bob, when receiving the message, should be able to infer about 
its authenticity, i.e., if the message was sent by Alice or not. The protocol described in 
this section makes use of a classical linear algebraic code C[n, m, t] with parity check matrix 
H, and a noiseless quantum channel for transmission of coded messages. For each message 
ki & K we associate a codeword Cj e C. Participants must share a classical secret key of n 
bits, xab, chosen in a random and independent way. 

The authentication procedure is described as follows. Initially, Alice and Bob define 
two orthonormal bases for the 2-dimension Hilbert space, Z = {|0), |1)} and X = {\+) = 
^(|0) + |1)), |-) = ^(|0) - |1))}. When Alice needs to send the message kA, she computes 
the corresponding codeword ca- For each bit of ca, Alice prepares a quantum state 1-0^) 
based on the corresponding key bit. Then, if the j-th bit of xab is 0, Alice prepares 
using Z basis, such that 

{10) if the j-th bit of CA is 
(1) 
|1) if the j-th bit of ca is 1. 

Similarly, if the j-th bit of xab is 1, Alice prepares using X basis, such that 

if the 7-th bit of ca is 

l%) = ^ ' (2) 

if the j-th bit of is 1. 

After the qubits generation, Alice sends the state to Bob through the quantum 

channel. 

At the reception. Bob makes measurements to obtain a sequence uib oi n bits. For the 
j-th received qubit. Bob measures it using the basis Z or X depending on the j— th bit of 
Xab is or 1, respectively. Because the quantum channel is perfect, Bob recognizes that the 
message is authentic if is a codeword, i.e., tubH^ — 0. Then, Bob decodes tub to obtain 
the authentic message. Otherwise, Bob assumes that Eve tried to send him an unauthentic 
message. He then discards the received message. After each transmission, Ahce and Bob 
discard the key xab- 




III. SECURITY ANALYSIS 



In this section we analyze the security of the proposed protocol, for the case of a noiseless 
quantum channel connecting Alice and Bob. Two types of attacks will be considered: the 
no-message attack and the intercept-resend attack. In the first one, Eve prepares a quantum 
state and sends it to Bob. In the second. Eve intercepts the qubits and performs measure- 
ments in attempting to obtain some information about the message sent by Alice. Then, 
Eve exploits the information gained to prepare possibly another message that she sends to 



For the analysis, we consider that the linear code C and the mapping ki — > Cj are publicly 
known, what is a realist assumption. 

A. No-Message Attack 

We analyze here the case where Eve precedes Alice and sends Bob a quantum state 
\^l)e) — iV'e^)®"^ trying to impersonate Alice. Let Eve choose a message /c^, with associated 
codeword ce- Because Eve does not know anything about the key xab, she chooses a random 
sequence to indicate the bases used to create the qubits. 

To calculate the protocols failure probabihty P/, we define, for each message bit, three 
events: Si = Eve chooses the same basis than Bob; 62 = Eve chooses a different basis from 
Bob; and £3 = Bob obtain, after measurement, the same bit that Eve sent. The probability 
Pf that Eve cheats Bob is therefore. 



The first conditioned probability, P{e3\ei), is equal to 1 due to the fact that, when Eve 
chooses the same basis that Bob uses to measure the qubit. Bob will always obtain by the 
measurement the same bit that Eve wished send to him. When Eve misses the basis. Bob 
measures the same bit sent by Eve with probability P(£3|£2) = 1/2. Then, 



Bob. 



Pf = {P{es\e,)P{e,) + P{es\e2)P{e2)r. 



(3) 



= (3/4)". 



n 



(4) 
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B. Intercept-Resend Attack 



In this type of attack, Eve segments the quantum channel between Ahce and Bob, inter- 
cepts and measures the quantum states that are being transmitted to Bob. Based on the 
gained information. Eve prepares another message of her interest and sends it to Bob. 

Since Eve has no information about the secret key xab, she must initially choose her 
bases sequence, called here xe, to measure the qubits. We investigate here an eavesdropper 
strategy where Eve attempts to decode correctly the n bit string resulting from measure- 
ments, to obtain the codeword sent by Alice. If Eve makes this successfully, she can exploit 
the gained information to partially correct her key xe, forge an authentic message and send 
it to Bob. 

Suppose Alice generates the quantum state iV'j)'^" based on the codeword ca, corre- 
sponding to the message kA, and the classical secret key xab shared with Bob. Initially, 
we calculate the probability P^^c of Eve decodes successfully the bit string resulting from 
measurements to obtain ca- To perform this, we employ the error correction properties of 
the code C together with our strategy to create the quantum states. Let ttie the n-bits 
sequence resulting of Eves measurements using her key xe randomly generated. Define the 
random variable X = number of bits of Eves key xe, that coincides with the bits of Alice 
and Bobs key xab- If e = m^; + is the error vector when Eve measures l^/'j)®", then 

Pdec = P{w{e) < t) 

n-t-1 

= J2 = ^)Piwie) < t\X = i) 

i=0 

n 

+ ^P(X = .), (5) 

i=n—t 

where w{e) stands for error vector Hamming weight Because if Eves bases sequence xe 
matches xab in n — t — 1 or more positions, then the error vector weight is always less than 
or equal to t, i.e., P{w{e) < t\X = i) = 1 since i > n — t. 

It is straightforward to see that X has a binomial distribution with p = 1/2, 

P{X = z) = (1/2)^(1/2)— 
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Thus, for any realization oi X , X — i, Eve knows with probabihty one that i bits oi niE 
are correct bits. Among n — i remaining bits of m^, Eve should measure correctly at least 
n — i — t bits to be able to correct the word. But, if Eve misses the basis, she has probabihty 
p = 1/2 of still obtain the correct bit. So, forO<i<n — t — 1 

P{w{e) < = = E f ! 7 ' ) (1/2)— '^(1/2)'^ 



h=0 
t 



h=0 

The probabihty Pdec is then 



n-t-l t 

' n \ I n — I 



i=Q h=Q 

n 



=n—t 



The decoding probability found above depends on the parameters n and t of the chosen 
code. Once Eve decodes successfully the codeword sent by Alice, there is an increase on 
the failure probability of the system. This is because Eve gains information from Alice and 
Bob's secret key, allowing Eve partially corrects its key xe- To achieve this, she compares 
the bits of mg with the bits of ca- Eve concludes that chose wrong bases in the positions 
where differ with ca- She then flips the incorrect bits of xe to obtain a new key x'^. 

For the scenario described above, it is possible to calculate the systems failure probability. 
Assume that when Eve decodes a message correctly, she corrects t positions oi xe- Define 
the events: £i = Eve guesses i positions of xab and decodes ttie correctly; £ = Bob accepts 
the received message as authentic. If Eve chooses a message to transmit and creates the 
quantum state |^_b)®" based on the corresponding codeword and the corrected key xe, the 
protocols failure probability Pj- can be written as 



n-t-l 



j=0 i=n—t 

When Eve guesses more than n — t — 1 bases, she decodes the message correctly, and she 
can correct entirely its key to obtain x'^ — xab- Therefore, Eve always deceives Bob, i.e., 
P{e\ei) — 1 ioT n — t < i < n. 

To calculate the conditioned probabihty P{e\ei), it is enough to notice that i bits of xab 
were initially correct and t bits were corrected. Therefore, there exists w{xab+xe) — n—t—i 



incorrect bits in xe- Although Eve misses the basis, there is a probabihty equals to 1/2 of 
Bob measures the same bit sent by Eve, so that 



P{e\ei) = 2-("~*-*). (10) 

The probability P{ei) it was previously discussed [Eqs. ((Zj) and ©]• For < i < n — t — 1, 

h=o ^ / ^ / 

and for i > n — t, 



^(^.) = (?)2-^ (12) 



so that the probability Pi is 



/ 

n-t-l t 

i J \ n — i — h 



i=0 h=0 

'n 
i 



i=n—t 



+ E " (13) 



IV. PROTOCOL SUMMARY 

Considering that Alice and Bob share a random secret key xab and they agree on a 
linear algebraic code C[n, m, t], the proposed protocol for quantum authentication of classical 
messages can be summarized as follows: 



1. Alice chooses G C corresponding to k^- 

2. Alice creates n qubits in the bases Z oi X , depending on xab- She sends the qubits 

through the quantum channel. 

3. Bob chooses the bases used in the measurements according with xab- The measurement 

results is a n-bits sequence m^. 

4. Bob performs a parity test on m^. Case ttibH^ ^ 0, the message is discarded (Eve 

interfered in the channel). If passes the parity test {rriBH^ = 0), Bob obtains 
the message /ca decoding ttib = ca- 
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TABLE I: Security of the protocol for some binary BCH codes. 



C[n, m, t] 


Pf 




I 


C[63,57, 1] 


1.3 X 10"^ 


4.1 X 10-1^ 


2.8 X 10-13 


C[63,51,2] 


1.3 X 10"^ 


4.4 X 10-16 


5.5 X 10-13 


C[63, 18, 10] 


1.3 X 10^^ 


3.1 X 10"^ 


3.2 X 10-^ 


C[63, 10, 13] 


1.3 X 10"^ 


3.7 X 10-^ 


3.7 X lO-'^ 


C[127, 120, 1] 


1.4 X 10-^^ 


3.0 X 10-32 


2.4 X 10-26 


C[127,113,2] 


1.4 X 10"^^ 


5.0 X IQ-^'^ 


4.8 X 10-26 


C[127,36, 15] 


1.4 X 10"^^ 


1.0 X 10-20 


1.1 X 10-20 


C[127,22,23] 


1.4 X 10~^^ 


1.8 X 10-1^ 


1.8 X lO-i'' 



V. DISCUSSION 



According with the analyses presented in the section IIIH the security of our protocol 
depends on the parameters n and t of the linear algebraic code C[n, m, t] chosen. Moreover, 
the failure probabilities can be made as small as wished. To have an idea of such security, 
we calculated the probabilities discussed for several binary BCH codes of lengths n = 63 
and n = 127 Q (Table HI). 

When the message to be send is a random sequence of bits, the classical message authen- 
tication codes (MAC) presents only a computational security, even when a larger key is used 
to produce the authentication block The class of protocols described here presents an 
information theoretic security, rather than based on computational assumptions. 

The size of the used secret key is another important aspect. In general, if i? = m/n is the 
rate of the linear code C[n,m,t], the length of the key will be 1/i? times the length of the 
message. For example, for the code C[127, 120, 1], it is only necessary a key whose length is 
(127/120) = 1, 06 times the length of the message to guarantee, in the worst case, a failure 
probability of 1.4 x 10~^^. 

Moreover, there exists a possibility of reusing the secret key for Alice and Bob, since in 
quantum systems it is possible to identify an attempt to perturbing the states transmitted 
through the channel. If the quantum channel can be considered perfect and Bob receives an 
authentic message, he can conclude that no eavesdropper was present. Then, the secret key 
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can be reused without compromise the security of the protocol. 

Comparatively to others quantum schemes to authenticate classical messages present in 
the literature, the protocol described here has advantages in terms of simplicity and use of 
quantum resources. The Curty and Santos's protocol needs a quantum operation to generate 
a quantum tag to be send attached to the message. Moreover, the security of such protocol 
depends on the choice of the unitary operation. However, the authors did not show the 
existence of a optimum unitary operation that minimize the failure probability [W]. 

A disadvantage of our scheme is the use of a classical secret key. This means that it 
is possible to read or copy the key by a third part during storage process, without being 
detected. This problem will only be solved with the improvement of equipments to storage 
quantum states. 

VI. CONCLUSIONS 

In this work we presented a simple, but efficient non-interactive scheme for quantum 
authentication of m-length classical messages. The described protocol make uses of a linear 
algebraic code C[n,m, t] to encode the message and a classical secret key of n bits. The 
quantum states are created based on the codeword, where the key bits are used to choose 
the bases. Then, the qubits are transmitted through a quantum channel. 

According with quantum mechanics theory and considering the systematic adopted in 
the quantum states creation, the protocols failure probabilities were calculated. In general, 
these probabilities depend on the choice of the parameters n and t of the code, and we can 
make them as small as desired. The security of the proposed protocol does not depend, 
therefore, on computational assumptions. 
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